Amendments to the Claims

Claim 1 (currently amended): In a computing environment having a plurality of secure network connections [[connection to a network]], a computer program product for securely propagating security credentials using a trusted authenticating domain, the computer program product embodied on one or more computer-readable media and comprising:

[[computer-readable program code means for establishing a secure connection between a client and a password synchronization agent (PSA);]]

computer-readable program code means for receiving, [[at the PSA]] by a password synchronization agent ("PSA") from a user at a [[the]] client device over [[the]] a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of [[a]] the user and an identifying secret of the user [[during propagation request processing]];

computer-readable program code means for [[validating the user with the]] forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, [[using]] the received user identifier and identifying secret, [[on request of the PSA]] wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;

computer-readable program code means for receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and

computer-readable program code means for propagating, if the validation result is the successful result, the received user identifier and identifying secret of the user directly from the PSA to a master registry [[if the validation succeeds]] over a third mutually-authenticated secure connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.

Claims 2-3 (canceled) 

Claim 4 (currently amended): The computer program product according to Claim 1, further comprising computer-readable program code means for propagating, if the validation result is the successful result, the received identifying secret from the PSA to one or more [[other]] target registries over fourth mutually-authenticated secure connections, each of the fourth connections being between the PSA and a distinct one of the target registries, such that each target registry can store, for the user identifier, a secured version of the identifying secret [[if the validation succeeds]].

Claim 5 (canceled) 

Serial No. 09/614,087 -4- Docket RSW9-2000-0074-US1

Claim 6 (currently amended): The computer program product according to Claim 1, [[further comprising: computer-readable program code means for obtaining]] wherein the password propagation request further provides an identification of the trusted authenticating domain [[from the user during the propagation request processing]]; and

further comprising computer-readable program code means for verifying that the trusted authenticating domain is trusted by the master registry as a prerequisite to the propagating.

Claim 7 (currently amended): The computer program product according to Claim 1, further comprising:

computer-readable program code means for obtaining, by the PSA using the third connection, an identification of the trusted authenticating domain from the master registry as a prerequisite to the forwarding.

Claim 8 (currently amended): The computer program product according to Claim 6, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for verifying that the trusted authenticating domain is trusted further comprises computer-readable program code means for checking whether the stored trust policy information for the user identifier includes the trusted authenticating domain identification [[obtained from the user]] provided in the password propagation request.

Claim 9 (currently amended): The computer program product according to Claim 6, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for verifying that the trusted authenticating domain is trusted further comprises computer-readable program code means for checking whether the stored trust policy information for a user group of which the user identified by the user identifier is a member includes the trusted authenticating domain identification [[obtained from the user]] provided in the password propagation request.

Claim 10 (currently amended): The computer program product according to Claim 7, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for obtaining the identification of the trusted authenticating domain from the master registry further comprises computer-readable program code means for obtaining the trusted authenticating domain identification using the stored trust policy information for the user identifier.

Claim 11 (currently amended): The computer program product according to Claim 7, wherein the master registry stores trust policy information, and wherein the computer-readable program code means for obtaining the identification of the trusted authenticating domain from the master registry further comprises computer-readable program code means for obtaining the trusted authenticating domain identification using the stored trust policy information for a user group of which the user identified by the user identifier is a member.

Claim 12 (currently amended): The computer program product according to Claim 4, wherein the master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating the received identifying secret to the one or more [[other]] target registries further comprises computer-readable program code means for identifying the one or more other target registries using the stored password synchronization policy information for the user identifier.

Claim 13 (currently amended): The computer program product according to Claim 4, wherein the master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating the received identifying secret to the one or more [[other]] target registries further comprises computer-readable program code means for identifying the one or more other target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.

ClaiiTis 14-17 (canceled) 

Claim 18 (currently amended): The computer program product according to Claim 1, wherein the previously-stored secured version of the identifying secret was created, at the trusted authenticating domain, by [[computer-readable program code means for validating further comprising:]]

[[computer-readable program code means for]] performing a security function on a previously-received copy of the [[received]] identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

[[computer-readable program code means for using the received user identifier to locate a previously-stored identifying secret of the user which was stored by the trusted authenticating domain; and]]

wherein the security function is repeated, at the trusted authenticating domain, on the forwarded identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted authenticating domain then creates the successful result [[computer-readable program code means for concluding that the validation succeeds if the located identifying secret is identical to a result of performing the security function]].

Claim 19 (currently amended): The computer program product according to Claim 1, wherein the validation result is created, at the trusted authenticating domain, by [[computer-readable program code means for validating further comprises computer-readable program code means for]] invoking an authenticated LDAP bind or other native authentication mechanism of the trusted authenticating domain, [[wherein the received]] using the forwarded user identifier [[of the user]] and the [[received]] identifying secret [[of the user]], and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism [[are passed to the trusted authenticating domain, thereby causing the trusted authenticating domain to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation]].

Claim 20 (original): The computer program product according to Claim 1, wherein the PSA has administrative authority for performing operations at the master registry.

Claim 21 (currently amended): The computer program product according to Claim 4, wherein the PSA has administrative authority for performing operations at the one or more [[other]] target registries.

Claim 22 (currently amended): A system for securely propagating security credentials using a trusted authenticating domain, comprising:

[[means for establishing a secure connection between a client and a password synchronization agent (PSA);]]

means for receiving, [[at the PSA]] by a password synchronization agent ("PSA") from a user at a [[the]] client device over [[the]] a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of [[a]] the user and an identifying secret of the user [[during propagation request processing]];

means for [[validating the user with the]] forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, [[using]] the received user identifier and identifying secret, [[on request of the PSA]] wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;

means for receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and

means for propagating, if the validation result is the successful result, the received user identifier and identifying secret of the user directly from the PSA to a master registry [[if the validation succeeds]] over a third mutually-authenticated secure connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret, wherein the secured version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.

Claims 23 - 24 (canceled) 

Claim 25 (currently amended): The system according to Claim 22, further comprising means for propagating, if the validation result is the successful result, the received identifying secret from the PSA to one or more [[other]] target registries over fourth mutually-authenticated secure connections, each of the fourth connections being between the PSA and a distinct one of the target registries, such that each target registry can store, for the user identifier, a secured version of the identifying secret [[if the validation succeeds]].

Claim 26 (canceled) 

Claim 27 (currently amended): The system according to Claim 22, [[further comprising: means for obtaining]] wherein the password propagation request further provides an identification of the trusted authenticating domain [[from the user during the propagation request processing]]; and

further comprising means for verifying that the trusted authenticating domain is trusted by the master registry as a prerequisite to the propagating.

Claim 28 (currently amended): The system according to Claim 22, further comprising:

means for obtaining, by the PSA using the third connection, an identification of the trusted authenticating domain from the master registry as a prerequisite to the forwarding.

Claim 29 (currently amended): The system according to Claim 27, wherein the master registry stores trust policy information, and wherein the means for verifying that the trusted authenticating domain is trusted further comprises means for checking whether the stored trust policy information for the user identifier includes the trusted authenticating domain identification [[obtained from the user]] provided in the password propagation request.

Claim 30 (currently amended): The system according to Claim 27, wherein the master registry stores trust policy information, and wherein the means for verifying that the trusted authenticating domain is trusted further comprises means for checking whether the stored trust policy information for a user group of which the user identified by the user identifier is a member includes the trusted authenticating domain identification [[obtained from the user]] provided in the password propagation request.

Claim 31 (currently amended): The system according to Claim 28, wherein the master registry stores trust policy information, and wherein the means for obtaining the identification of the trusted authenticating domain from the master registry further comprises means for obtaining the trusted authenticating domain identification using the stored trust policy information for the user identifier.

Claim 32 (currently amended): The system according to Claim 28, wherein the master registry stores trust policy information, and wherein the means for obtaining the identification of the trusted authenticating domain from the master registry further comprises means for obtaining the trusted authenticating domain identification using the stored trust policy information for a user group of which the user identified by the user identifier is a member.

Claim 33 (currently amended): The system according to Claim 25, wherein the master registry stores password synchronization policy information, and wherein the means for propagating the received identifying secret to the one or more [[other]] target registries further comprises means for identifying the one or more other target registries using the stored password synchronization policy information for the user identifier.

Claim 34 (currently amended): The system according to Claim 25, wherein the master registry stores password synchronization policy information, and wherein the means for propagating the received identifying secret to the one or more other target registries further comprises means for identifying the one or more [[other]] target registries using the stored password synchronization policy information for a user group of which the user identified by the user identifier is a member.

Claims 35 - 38 (canceled) 

Claim 39 (currently amended): The system according to Claim 22, wherein the previously-stored secured version of the identifying secret was created, at the trusted authenticating domain, by [[means for validating further comprises:]]

[[means for]] performing a security function on a previously-received copy of the [[received]] identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

[[means for using the received user identifier to locate a previously-stored identifying secret of the user which was stored by the trusted authenticating domain; and]]

wherein the security function is repeated, at the trusted authenticating domain, on the forwarded identifying secret of the user, after which, if a result thereof is identical to the previously-stored secured version, the trusted authenticating domain then creates the successful result [[means for concluding that the validation succeeds if the located identifying secret is identical to a result of performing the security function]].

Claim 40 (currently amended): The system according to Claim 22, wherein the validation result is created, at the trusted authenticating domain, by [[means for validating further comprises means for]] invoking an authenticated LDAP bind or other native authentication mechanism of the trusted authenticating domain, [[wherein the received]] using the forwarded user identifier [[of the user]] and the [[received]] identifying secret [[of the user]], and wherein the validation result is created using a result of the LDAP bind or other native authentication mechanism [[are passed to the trusted authenticating domain, thereby causing the trusted authenticating domain to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation]].

Claim 41 (original): The system according to Claim 22, wherein the PSA has administrative authority for performing operations at the master registry.

Claim 42 (currently amended): The system according to Claim 25, wherein the PSA has administrative authority for performing operations at the one or more [[other]] target registries.

Claim 43 (currently amended): A computer-implemented method for securely propagating security credentials using a trusted authenticating domain, comprising steps of:

[[establishing a secure connection between a client and a password synchronization agent (PSA);]]

receiving, [[at the PSA]] by a password synchronization agent ("PSA") from a user at a [[the]] client device over [[the]] a first secure connection between the client device and the PSA on which the PSA has authenticated itself to the client device, a password propagation request providing an identifier of [[a]] the user and an identifying secret of the user [[during propagation request processing]];

[[validating the user with the]] forwarding, by the PSA to a trusted authenticating domain over a second secure connection therebetween on which the trusted authenticating domain has authenticated itself to the PSA, [[using]] the received user identifier and identifying secret, [[on request of the PSA]] wherein the trusted authenticating domain stores identifying secrets for user identifiers only as secured, non-recoverable versions thereof;

receiving, by the PSA from the trusted authenticating domain over the second connection, a validation result created by the trusted authenticating domain responsive to the forwarding, the validation result being a successful result if it indicates that the trusted authenticating domain had previously stored, for the user identifier, a secured version of the identifying secret; and

propagating, if the validation result is the successful result, the received user identifier and identifying secret of the user directly from the PSA to a master registry [[if the validation succeeds]] over a third mutually-authenticated secure connection therebetween, such that the master registry can store, for the user identifier, a secured version of the identifying secret.

Claim 44 (currently amended): The computer program product according to Claim 1, further comprising:

computer-readable program code means for obtaining a new value from the user to be used as the propagated identifying secret if the validation [[succeeds]] has the successful result; and

computer-readable program code means for substituting [[this]] the new value for the received identifying secret prior to operation of the computer-readable program code means for propagating.

Claim 45 (currently amended): The system according to Claim 22, further comprising:

means for obtaining a new value from the user to be used as the propagated identifying secret if the validation [[succeeds]] has the successful result; and

means for substituting [[this]] the new value for the received identifying secret prior to operation of the means for propagating.

Claim 46 (currently amended): The method according to Claim 43, further comprising steps of:

obtaining a new value from the user to be used as the propagated identifying secret if the validation [[succeeds]] has the successful result; and

substituting [[this]] the new value for the received identifying secret prior to operation of the propagating step.

Claim 47 (new): The method according to Claim 43, wherein the forwarding and receiving steps use secure interprocess communications between the PSA and the trusted authenticating domain instead of the second connection.

Claim 48 (new): The method according to Claim 43, wherein the secured version stored by the master registry is not required to be identical to the secured version stored at the trusted authenticating domain.
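Added illustration, not the applicant's code and not drawn from the specification: a Python model of the flow recited in Claims 1, 4, 8, 18, 44 and 48. The registry names, the user, the passwords and the trust and synchronization policies are constructed for the example; the three secure connections are represented by direct method calls, and the security function is a salted PBKDF2 hash, one instance of option (i) in Claim 18. It shows the pieces the claims recite in sequence: the trust-policy check on the domain named in the request, forwarding to the domain and propagating only on a successful validation result, substitution of a new value after validation, and a master registry whose stored secured version differs from the domain's even though the password is the same.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def secure_version(secret: str, salt: bytes) -> bytes:
    """Security function of Claim 18, option (i): a one-way hash.  Each store draws
    its own salt, so two stores holding the same password hold different bytes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


class SecuredStore:
    """A registry (or authenticating domain) that keeps only secured, non-recoverable
    versions of identifying secrets, as Claim 1 requires of the trusted domain."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.store: Dict[str, tuple] = {}  # user identifier -> (salt, secured version)

    def set_secret(self, user: str, secret: str) -> None:
        salt = os.urandom(16)
        self.store[user] = (salt, secure_version(secret, salt))

    def validate(self, user: str, secret: str) -> bool:
        """Claim 18: repeat the security function on the forwarded secret and compare
        with the previously stored secured version; an unknown user simply fails."""
        if user not in self.store:
            return False
        salt, stored = self.store[user]
        return hmac.compare_digest(stored, secure_version(secret, salt))


class MasterRegistry(SecuredStore):
    def __init__(self, name: str, trust_policy: Dict[str, Set[str]],
                 sync_policy: Dict[str, List[str]]) -> None:
        super().__init__(name)
        self.trust_policy = trust_policy  # user -> domains trusted for that user (Claim 8)
        self.sync_policy = sync_policy    # user -> target registries to update (Claim 12)


@dataclass
class PropagationRequest:
    user: str
    secret: str
    domain: str                       # Claim 6: the request names the authenticating domain
    new_secret: Optional[str] = None  # Claim 44: replacement value, used once validated


class PasswordSyncAgent:
    """The PSA.  Its 'secure connections' are modelled here as direct calls."""

    def __init__(self, domains: Dict[str, SecuredStore], master: MasterRegistry,
                 targets: Dict[str, SecuredStore]) -> None:
        self.domains = domains
        self.master = master
        self.targets = targets

    def handle(self, req: PropagationRequest) -> List[str]:
        """Returns the names of registries updated; raises PermissionError if none."""
        # Claim 8: the named domain must be in the master's trust policy for this user.
        if req.domain not in self.master.trust_policy.get(req.user, set()):
            raise PermissionError(f"{req.domain!r} is not trusted for {req.user!r}")
        # Claim 1: forward identifier and secret; propagate only on a successful result.
        if not self.domains[req.domain].validate(req.user, req.secret):
            raise PermissionError("validation failed; nothing propagated")
        # Claim 44: substitute the new value before propagating.
        outgoing = req.new_secret if req.new_secret is not None else req.secret
        self.master.set_secret(req.user, outgoing)
        updated = [self.master.name]
        for name in self.master.sync_policy.get(req.user, []):  # Claims 4 and 12
            self.targets[name].set_secret(req.user, outgoing)
            updated.append(name)
        return updated


def build_demo():
    """Constructed sample deployment: one trusted domain, a master, two targets."""
    domain = SecuredStore("corp-domain")
    domain.set_secret("alice", "Winter-2024!")  # the previously stored secret (Claim 1)
    master = MasterRegistry(
        "master",
        trust_policy={"alice": {"corp-domain"}},
        sync_policy={"alice": ["hr-app", "mainframe"]},
    )
    targets = {"hr-app": SecuredStore("hr-app"), "mainframe": SecuredStore("mainframe")}
    psa = PasswordSyncAgent({"corp-domain": domain}, master, targets)
    return psa, domain, master, targets


if __name__ == "__main__":
    psa, domain, master, targets = build_demo()
    print(psa.handle(PropagationRequest("alice", "Winter-2024!", "corp-domain")))
    # Same password, yet the master's stored bytes differ from the domain's (Claim 48).
    print(master.store["alice"][1] != domain.store["alice"][1])
```

The LDAP-bind variant of Claims 19 and 40 fits the same validate interface: the domain replaces the hash comparison with a bind attempt using the forwarded identifier and secret and reports the bind's success or failure as the validation result. Note that a request naming a domain the master does not trust for the user is rejected before anything is forwarded, so the secret never reaches an untrusted party.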